NPC should verify first before amplifying rumors of data leak

DECODED: TECH, TRUTH, AND THREATS

By Art Samaniego

The National Privacy Commission (NPC) has launched an investigation into an alleged data breach involving G-Xchange, operator of GCash, a move that, while well-intentioned, exposes a worrying pattern among regulators: acting on online chatter before verifying the facts.

In its press statement, the NPC said it had opened an inquiry after a dark-web post surfaced claiming to offer GCash user information for sale. The post, made by an anonymous actor using the alias “Oversleep8351,” allegedly offered merchant and basic user data, GCash account numbers, linked bank accounts, and eKYC details.

But as of this writing, GCash’s own forensic analysis has found no compromise in its systems, and the alleged dataset does not match its internal data structure.

In fact, GCash noted that many of the supposed records were incomplete, inconsistent, or contained the names of non-users, strongly suggesting that the data circulating did not originate from its environment.

I personally verified a sample of the data released by the alleged hacker on the dark web and found information that clearly does not align with what GCash actually collects from users. The dataset contains mismatched formats, invalid identifiers, and fabricated details, strong evidence that this is not an authentic leak from GCash.

Despite these red flags, the NPC immediately issued a public statement and launched a formal inquiry before verifying the authenticity of the alleged leak. Such a premature move gives unnecessary legitimacy to what could be a fabricated or recycled dataset, a common tactic among cybercriminals to gain notoriety, trigger panic, or bait phishing victims.

Regulators should lead with evidence, not speculation. Announcing an investigation without first confirming the validity of the alleged leak only feeds public anxiety and gives cybercriminals exactly what they want: attention and credibility.

Dark-web “breach” posts are often fake or recycled, intended to pressure companies, mislead the public, or sell old data under new labels. Cybersecurity professionals have repeatedly warned that such listings are designed to confuse, create panic, or build the seller’s reputation among criminal circles.

By reacting too quickly, the NPC may inadvertently legitimize these scams. A more prudent response would have been to quietly verify the dataset with technical experts before issuing a public advisory, and only go public once clear evidence of compromise exists.

The public deserves transparency, but it also deserves competent, fact-based regulation. The NPC’s role is to protect citizens’ data, not to echo rumors circulating on the dark web. In this case, the agency should have waited for forensic confirmation instead of fanning fear.

If the Philippines wants to strengthen its data-privacy control, agencies must learn to balance vigilance with verification, especially in an age where even lies can go viral in seconds.
